
Harden auth and client security boundaries #15

Merged
thegoodduck merged 1 commit into master from thegoodduck/security-audit
May 25, 2026

Conversation

@thegoodduck

Collaborator

This hardens several high-risk trust boundaries found in the security audit: session token exposure in cookies, mutable auth endpoint routing, private key persistence in localStorage, and unescaped untrusted text in settings alerts.

What changed

  • Marked the relay jwt cookie as HttpOnly both when setting and clearing it in relay-server/relay-server-enhanced.js.
  • Added a trusted auth origin in src/config.ts (config.auth.api) and updated AuditService auth/session calls (/api/me, vote authorize/confirm, poll-policy, OAuth start) to use it instead of mutable relay overrides.
  • Hardened DM key storage in src/services/chatService.ts:
    • keypairs now persist in IndexedDB metadata via StorageService
    • newly generated private keys are non-extractable
    • legacy localStorage keypairs are migrated once and removed
  • Escaped user-controlled relay/bootstrap labels before injecting them into alertController content in src/views/SettingsPage.vue.
  • Added rel="noopener noreferrer" to the external Tor Browser link in src/views/ResiliencePage.vue.
  • Updated src/services/copilot-services.md to reflect chat key storage hardening.
  • package-lock.json updated from dependency install during verification.

Notes for reviewers

  • Auth/session requests are intentionally pinned to the trusted backend origin and no longer follow runtime relay API overrides.
  • The chat key migration path preserves existing users by importing old localStorage keypairs on first run, then deleting the legacy entry.

- Mark JWT cookie HttpOnly on set and clear in relay server
- Pin auth/session endpoints to trusted backend origin in config/audit service
- Move chat keypair storage out of localStorage and migrate legacy keys
- Escape untrusted relay/bootstrap labels in settings alerts
- Add noopener noreferrer to external Tor guide link

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings May 24, 2026 23:58
@thegoodduck thegoodduck merged commit 5373f84 into master May 25, 2026
1 check failed
@thegoodduck thegoodduck removed the request for review from Copilot May 25, 2026 00:20